To prevent email spam and other malicious activities, email providers have attempted to identify attackers based on abnormal signatures associated with their activities. However, as the attackers evolved and changed their strategies, the abnormal signatures changed as well, making it more difficult for email providers to detect the activities.
Other defenses include reputation systems that assign a reputation score to each of the users based on a set of rules that examine an individual user's email communication patterns. However, the set of rules for detecting attackers are not robust and attackers can easily game the system once they learn the rules. Yet another is a geolocation-based defense system, which marks a user as suspicious if the user logins are from disparate geographic locations. However, geolocation-based systems can be defeated by changing the login pattern of user accounts under control of attackers.